For those of you who don't know me, my name is Howard Chu. I'm a founder and CTO of this company, Symas Corporation. We're kind of based in the US. We were founded in Los Angeles, but now everybody is scattered to different parts of the world. Like I took off to Ireland and people are in France, wherever. I personally have been writing open source software since the 1980s. I actually did write a lot of the code that runs the internet. Diego wasn't kidding about that. I've also worked on a lot of the developer tools that most programmers still use today. Almost all of the GNU compiler tools, GNU make, the linker, the debugger. I've been through all of that code. I have a personal policy that I do not use software that I haven't touched myself. So, like this Android distro that I'm running on this phone is one that I built. Everything on my laptop, the Linux systems, I contributed drivers to the kernel, and basically, yeah, I won't touch anything that's closed source. If I can't get my hands inside it, I won't use it. I did a few years working for NASA at the Jet Propulsion Laboratory in Pasadena. I worked on the space shuttle for three years. That was good fun. So I actually do have software that's been in orbit and never crashed. Okay. More recently I've been working on database technology. This database engine I developed in 2011 has turned out to be the world's fastest, smallest and most reliable transactional database. That's kind of interesting because Monero uses it now, so that's kind of cool. I've been working on the OpenLDAP project for almost 20 years. We turned that from a small research piece of code into production quality code that today is the world's fastest distributed database. So lots of other stuff. And I've actually been working in security software for quite a long time. Again, a lot of the foundational defensive software that you see on UNIX systems came out of work that I did back at JPL.
I've also spent some time reverse engineering, hacking on proprietary protocols like the stuff that Adobe used. And these things are still out there on the web. You can still find RTMPDump on GitHub and in the FFmpeg project. Okay. So, topics for this talk. What is Monero? I mean, you got kind of a flavor of that with Diego's introduction, but I'll get a little bit more comprehensive about that. Now this talk is not going to be diving deep into the math or the real details of the technology. The Monero Research Lab guys will cover that more through this weekend. But you'll get a nice overview. So first of all, what is Monero? We talked about this. It's a totally private cryptocurrency, but it's still built on a public blockchain. It's still built on a blockchain that anybody can participate in. The thing about it that's special, though, is all the transactions that show up in the blockchain are still opaque. That means you can't see the details of what's going on inside each transaction, but you can see that the transaction happened. Okay. And where does the name Monero come from? Well, it's actually just a simple word for money. It comes from the Esperanto language. How many of you guys are familiar with Esperanto? Okay. It's a hacker crowd. That's obviously an easy question. Okay. This project started in 2014, so it's only just barely four years old now. Here's a snapshot from CoinMarketCap. It's kind of hard to read, but the basic message here is that about a year ago Monero was worth $22 per coin. I updated this last night. It's about $98, somewhere around a hundred bucks. Back in January, it reached a peak of $400-some, so it's had its ups and downs. Okay. So first of all, a really basic definition of what a cryptocurrency is. Okay. And the one I posted up here is literally just copied out of Wikipedia. Most of the cryptocurrencies that exist today, and there's at least 1,000 of them now.
Most of them are forks of the Bitcoin code, and the Bitcoin code base was released in 2009. The main feature that makes them cryptocurrencies, that makes them cryptographic, is that the cryptography is just used to create what's called artificial scarcity. Because normally, when you've got digital technologies, you can copy them at will. You've got a file, you can create as many copies as you want. And obviously, in a currency, you need things to be rare or actually unique. If I have a $10 coin, I shouldn't be able to make copies of that $10 coin and keep spending them. If you did that, you wouldn't have a working currency. So the trick with cryptocurrencies is the cryptography is used to ensure scarcity. Every transaction that occurs in one of these cryptocurrencies is recorded on what's called a blockchain, and basically a blockchain is just a public distributed record, a distributed ledger. So blockchains, they're basically a distributed database. It's a distributed database with what we call group commit, which means you batch a whole bunch of transactions into a single group, and you commit them into the database all at once. This terminology helps me because I come at this from a distributed database background. I don't know if it helps you so much, but that's where we are. So transactions are grouped into blocks and they get committed at one time, and typically there's a very high commit latency. That means blocks don't happen very frequently. For example, in Bitcoin, a block is committed on average about once every 10 minutes, and in normal databases like SQL, whatever, you would expect commits to happen within a few milliseconds. So this is a really stark defining difference between blockchain and regular databases. In Monero, the block time is 2 minutes, so it's a little more frequent, but still it's much slower than you're used to in the database world.
The other thing about blockchain that makes it a chain is that every block carries a signature of the previous block, a hash, a cryptographic hash. And as each block chains back with the hash of its previous one, you can start from the tail and work towards the head and know that every block is valid because every block has the correct hash. If you run across a block that doesn't have the correct hash of its preceding one, then you know that something is broken on your blockchain, somebody's been tampering, or that sort of thing. Now, again, in these cryptocurrencies, the blocks and the transactions are broadcast, basically. They're transmitted across peer-to-peer networks. So everybody who wants to use the currency generally has to participate in this network. So every node in the network actually validates every single block. They validate the signatures for each one. This kind of processing is extremely redundant. That means you've got a network of a million nodes and a million nodes are doing the exact same calculation each time. It's highly redundant. But that's intentional, because when everybody is doing the same calculation, they should all get the same answer. If any one of them gets a different answer, you know that something is broken somewhere in your network. So the act of producing these blocks, compiling them together, is called mining. And mining is, again, extremely compute intensive, based on proof of work. I'm not talking about proof of stake. That's a completely different system. So we're just talking about how Bitcoin, Monero, and several other similar coins operate. The cost of mining is actually an essential part of the security of the system. Because it costs significant resources to perform mining, that means it's very expensive to attack the network and try to forge data. Again, mining is a bit of a competition. It's a race. So the miner that generates the next block first gets a reward for doing so.
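The chain validation the talk describes, as an added example that is not from the talk or from Monero's or Bitcoin's code: a toy block carries the hash of its predecessor, and a verifier walks the chain from the genesis block and reports the first block whose link does not match. The block layout, the use of SHA-256 over a JSON encoding, and the sample transaction identifiers are all constructed for this illustration; real chains also check that each block hash meets the proof-of-work difficulty target, which this toy omits.

```python
import hashlib
import json
from dataclasses import dataclass, asdict, field
from typing import List, Optional

GENESIS_PREV = "0" * 64   # the first block has no predecessor to link to


@dataclass
class Block:
    height: int
    prev_hash: str
    txs: List[str] = field(default_factory=list)

    def block_hash(self) -> str:
        # The hash covers the height, the link to the previous block and the
        # transactions, so changing any of them changes the value the next
        # block is expected to carry in prev_hash.
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()


def build_chain(batches: List[List[str]]) -> List[Block]:
    """Group each batch of transactions into a block linked to its predecessor."""
    chain: List[Block] = []
    prev = GENESIS_PREV
    for height, txs in enumerate(batches):
        block = Block(height, prev, list(txs))
        chain.append(block)
        prev = block.block_hash()
    return chain


def first_broken_link(chain: List[Block]) -> Optional[int]:
    """Walk from the genesis block forward. Return the height of the first block
    whose prev_hash does not equal the hash of the block before it, or None if
    every link holds."""
    expected = GENESIS_PREV
    for block in chain:
        if block.prev_hash != expected:
            return block.height
        expected = block.block_hash()
    return None


# Constructed sample transactions: opaque identifiers standing in for real data.
SAMPLE_BATCHES = [
    ["coinbase:miner-A"],
    ["tx:0001", "tx:0002"],
    ["tx:0003"],
]


def tamper_detected(height: int, new_txs: List[str]) -> Optional[int]:
    """Rewrite the transactions of one block in a fresh copy of the sample chain
    and report where validation first fails (None if nothing catches it)."""
    chain = build_chain(SAMPLE_BATCHES)
    chain[height].txs = list(new_txs)
    return first_broken_link(chain)


if __name__ == "__main__":
    print("intact chain:", first_broken_link(build_chain(SAMPLE_BATCHES)))
    print("block 1 rewritten, detected at height:", tamper_detected(1, ["tx:forged"]))
    print("tail block rewritten, detected at height:", tamper_detected(2, ["tx:forged"]))
```

Rewriting block 1 is caught at block 2, whose stored link no longer matches. Rewriting the tail block is not caught by this check at all, because no later block has committed to its hash yet; that is why a freshly mined block is only considered settled once more blocks are built on top of it, and why the proof-of-work cost the talk mentions matters: an attacker who rewrites an older block must also redo the work for every block after it.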
Now, race conditions do occur frequently, where multiple miners could produce different blocks at about the same time. In the database world, we call this eventual consistency. The chain doesn't always agree with itself all the time. But eventually it'll converge to a single longest chain. So I reference Bitcoin a lot because it was the first digital currency that's really been successful to any extent. And their aim was to be trustless and permissionless and a decentralized system. Now, you have to understand the context of the world when Bitcoin was created. This was in 2008, 2009, just after the last global recession. And the creation of Bitcoin was a direct reaction to the mismanagement of the world's funds by the global banks, central banks. So you get people who see, gee, the global banks just screwed us all. How can we create a money system that doesn't have that as an element in how the system works? So this is what led to the creation of Bitcoin. And they realized that a successful money system must have some very essential properties. It must be trustless. The system should operate without any trusted third party. The banks were the trusted third parties and they broke their trust. They screwed a lot of people. There was a lot of corruption going on, a lot of false accounting going on. And so when you place your value in a trusted third party and that third party isn't worth your trust, you're totally screwed. So you want a system that doesn't require a trusted third party. They wanted the system to be permissionless so that anybody can use it and nobody can deny you use of it. Again, if you look at the modern banking system, a simple example here in the US: marijuana is legal in many states in the country now. But a lot of businesses can't actually deal in marijuana and have bank accounts, because the banking regulations say they're not allowed to do this.
So again, when you've got this centralized trusted third party that decides who can and can't use the money system, it leads to unfair discrimination and exclusion. So again, if you're going to build a new system, you want it to have properties that allow everybody to use it equally and fairly. And then this leads to the last point of decentralization. The only way you can guarantee that nobody is going to lock people out is if there's no central point of control. If there's no central decision maker who can say, oh, I like this guy using the coin, but I don't want this guy using the coin, you have to have the power diffused enough that no single entity can make arbitrary decisions like that. Okay. So what's that? That's what this slide says right here. So Bitcoin has all these great ideals, but in fact it fails in multiple ways. It is not actually permissionless. We already have documented examples of users and accounts being banned or shut off from access, coins being blacklisted based on their usage history. So it is a fact that people can control who gets access to the Bitcoin network. It is not decentralized. If you look at the distribution of mining power on the Bitcoin network, like 80% of that is based in a couple of small cities in China and the rest of the world doesn't even amount to 15%. So there is a strong centralization happening here. It also doesn't actually behave like cash. It doesn't behave like money. When you spend a coin, when you send a coin to a vendor, you're giving the vendor your complete financial history, and actually you're seeing the vendor's complete financial history at the same time. You see each other's wallet address and you suddenly know everything there is to know about their spending habits. So this, I mean, it's insane to even think of it as money, right? If you think, like, okay, I've got a 50 cent coin in my pocket and I give it to this guy and he tosses it into a coin jar, all right?
Nobody can look at that coin jar and say, oh yeah, Howard put 50 cents in there. There's no way to know that, all right? And if looking, you know, if the guy with the coin jar is there, he can't tell, oh yeah, Howard still has $12 in his pocket. You know, there's no way to know that in a regular exchange of real money. But in Bitcoin, these things are all revealed, and revealing these things is detrimental, you know, if you're running a business, if you're trying to do, jeez, if you're trying to buy a surprise gift for somebody. All of these things are totally legitimate use cases for regular money, but they can't be achieved on a public blockchain like Bitcoin. So it fails as a currency, and it also fails just as a technology, okay? The Bitcoin network today is claimed to support seven transactions per second, okay? If you look at the statistics, it never actually gets faster than three and a half transactions per second, okay? And, you know, put that in perspective: a credit card processing network will handle thousands of transactions per second. So you're talking about this global currency and proclaiming it can be used for everything, but it can't even manage, you know, a hundredth of what a typical existing currency network already does. The other problems, I mean, technology-wise, you know, the code in Bitcoin is loaded with hard-coded constants that constrain how it behaves. And these constants tend to be a source of great controversy in the Bitcoin developer community. You know, this one megabyte block size limit has been there and has been a source of great controversy for at least three years. The other thing, you know, the Bitcoin coin distribution, it's set to have a fixed coin supply. And so eventually the last coin will be issued in mining, and nobody actually knows if the mining network will continue to operate after that event, right?
Because they're trusting that miners will still want to mine based on transaction fees in each block, but there's actually no incentive for them when the main block reward goes to zero. So Monero, in a lot of ways you can think of Monero as Bitcoin 2.0, right? It's a system that people designed four years after Bitcoin existed, so they've observed a lot of the problems that exist in the Bitcoin technology and they've come up with solutions to most of these, right? Maybe not all of them. It is actually permissionless, right? Coins are fungible, so they can't be banned, they can't be censored. Coins don't have any history, so you can't choose to ban them. It is actually fairly decentralized. In comparison to Bitcoin, it's much more decentralized. The proof of work algorithm makes centralization more difficult, okay? Now, in the past six months we've had some examples that would challenge this assertion, but I'll get into that later. It actually does behave like cash, right? When you spend a Monero, that doesn't reveal anything about what's left in your wallet and it doesn't reveal anything to the buyer or the seller about each other's holdings. So it actually does behave like money. The technology is dynamically scalable, right? There aren't really any hard-coded constants in the code base that limit its performance. It has a perpetual tail emission. Diego mentioned this earlier this morning: so at the beginning, all right, you've got a large amount of coins being emitted and then the number of coins tails off to a small value, but it never drops below 0.3 coins per minute, right? 0.6 per block. The code base is based on something called CryptoNote, which is a completely separate, independent code base from Bitcoin, so it doesn't inherit any of Bitcoin's bugs, but it also, I mean, there's a downside, which is we don't inherit any of Bitcoin's adoption either.
So just to give you some insight into how the number of coins will progress over time, the blue line here is the Bitcoin coin emission curve, and you can see it will max out eventually at 22 million or whatever the value is, and right around the year 2040, the Monero curve will cross the Bitcoin curve and it will continue growing from that point. Okay, so how does all of this actually work, right? How does Monero ensure that it remains permissionless? To be permissionless requires you to be uncensorable, and to be uncensorable requires fungibility. Diego talked a little bit about that this morning. This is probably one of the most important characteristics that makes money what it is and makes it usable, right? So again, one coin equals any other coin, one XMR equals one XMR. Every coin is indistinguishable from every other coin, and to get that you have to have privacy and anonymity for all of your transactions. Once you've established that any coin is completely private, that means it has no individual history that can be traced. And once you have no history, then there's nothing for a controlling entity to try and ban. Again, compared to Bitcoin and pretty much every other coin that's based on Bitcoin: the sender address and the receiver address are both public, they're both recorded forever in the blockchain. The transaction amount is public, and any particular coin can be traced all the way back to its creation. So you can see everybody who's held it from any point in time. So you cannot have fungibility without total privacy and anonymity for every transaction. Now there are some cryptocurrencies out there that provide optional privacy. Or they only obscure one or two elements of a transaction. But because the use of privacy is optional, the majority of transactions are still transparent, and the ones that aren't transparent actually stick out. They become noteworthy. And once they become noteworthy and distinguishable, they're traced.
The other problem is that in practice, when privacy is optional, the majority of people won't actually use it. They won't even know, they may not even be aware that they need to choose to use it. Okay, so there are a bunch of different elements of a transaction that will show up on a blockchain. How are we protecting each of these elements? First of all, your wallet address, the long string of digits that identifies your wallet, never actually appears in the blockchain. The addresses that you talk about and give to each other when you say, hey, send me money to this address, those never appear in the blockchain. Instead we use stealth addresses. And the stealth address is randomly generated and it's one-time use. So since it's randomly generated, it can't actually be associated back to any actual wallet address. So everything that's recorded in the blockchain stands on its own. It can't be linked back to any original wallet. So that protects recipients. Now how do we protect the identity of the sender? We have something called a ring signature. So instead of a transaction containing just one coin that a sender is sending out, it actually contains multiple decoys. And currently the ring size is set at seven, which means there's one real coin and six decoys. There's another trick to using ring signatures. The ones we use are called traceable, which means we can generate a key image that goes with each ring signature. And that key image is unique. It's uniquely associated with the coin that's being spent. So we can identify if a double spend attempt is being made. So if you're familiar with public key cryptography, you know there's always a key pair. There's a public key and a private key. If you encrypt a message with the public key, you can only decrypt it with the private key, and vice versa. If you encrypt a message with the private key, you can only decrypt it with the public key. So that's a standard single signature.
In a ring signature you actually associate multiple private keys with a message. Anybody can observe this and verify that all of the participants in that ring signature had a valid key, but you cannot identify which one is the original sender. A more recent improvement in Monero, deployed January 2017, is called ring confidential transactions. Prior to this, prior to January 2017, the transaction amounts were published. But with confidential transactions, the transaction amounts are also hidden. And the funny thing about CT is this technology was developed by a Bitcoin developer for use in Bitcoin, and they still haven't deployed it. This was developed three or four years ago, and actually Monero was the first to deploy it. And the technology underlying confidential transactions is also based on ring signatures. So there's an ongoing theme there. So I'll give you the basics of how this works. I'm not going to go into great depth here because that's somebody else's talk. But the idea is you store a transaction amount in what's called a Pedersen commitment, and you are committing to a hash of the actual value. So you don't actually show $10 or whatever. You generate a hash of the actual value. And it's a special kind of a hash. These hashes can actually be added to each other and the result is still a valid sum. So the sum of two hashes is equal to the hash of the final value. And that means you can independently verify that the inputs and the outputs are exactly what they claim to be, even though you don't know the numbers inside. Now there's a problem, which is that if you can't see the values inside, it's possible for somebody to play a game, putting negative numbers in or whatever. So we also require a range proof that asserts that the values are actually within a valid range. Values have to be within 0 to 2^64 - 1.
And so this range proof basically says, in our case, in binary, we represent the value as a string of binary digits and we just construct a ring signature for each digit. It says, oh yeah, this digit could be 0 or 1. The next digit could be 0 or 2, could be 0 or 4, or 0 or 8, and when you add all these together it's got to create the final value. And as Diego mentioned, a range proof is quite large, it's something like 1200 bytes per proof. So this has a bit of a cost on our network. We're working to reduce that cost when we introduce bulletproofs later this year. Another element of privacy that some people talk about is hiding the network address when you actually create a transaction. So we've been working with something called I2P. It's very similar to Tor, or it's comparable in its purpose, and it'll hide the internet addresses of all the participating network nodes. The project that's working on I2P is called Kovri, and they actually had their first alpha release just about a week ago. So that's moving right along, and anonimal is here this weekend and he'll be talking more about Kovri as well. So, decentralization. This has been a pretty hot topic in the past couple of months. The proof of work algorithm that the miners execute is called CryptoNight, and it was designed to be memory hard, which means it uses a lot of RAM and it depends on the slowness of RAM to make it hard work. It actually uses multiple crypto algorithms. It uses AES-256, it uses Keccak, Blake, and Groestl, and a bunch of other crypto hash algorithms. It was resistant to ASIC implementation primarily due to the cost of putting a lot of RAM on a chip. That's really the main protection it depended on. It's kind of difficult to implement on GPUs because it uses a large number of random accesses into memory, so it uses a large amount of memory and it uses it in random order. GPUs are optimized to access memory in sequential order.
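The commitment arithmetic described above (the "hashes" that add up, and the per-digit decomposition a range proof is built on), as an added example that is not from the talk or from Monero's code. Monero commits in the ed25519 elliptic-curve group; this toy uses a Pedersen commitment in a prime-order subgroup of the integers modulo a safe prime, which has the same homomorphic property written multiplicatively: "adding" two commitments is multiplying them mod p. The safe prime is found at import time with a deterministic Miller-Rabin test, the two generators are derived from fixed hash labels, and the sample amounts (inputs 7 and 5, outputs 10 and 2) are constructed for the illustration. The ring signatures that prove each digit is 0 or 1 are not implemented here; the block only shows that per-digit commitments recombine into a commitment to the full value.

```python
import hashlib
import secrets
from typing import List, Tuple

# First 13 primes as Miller-Rabin bases: deterministic for n < 3.3e24 (about 2^81).
SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin for the ~80-bit numbers used in this toy."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_from(start: int) -> Tuple[int, int]:
    """Smallest q >= start with q and p = 2q + 1 both prime. Returns (p, q)."""
    q = start | 1
    while not (is_prime(q) and is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


# p is about 80 bits, so the order-q subgroup comfortably holds 64-bit amounts.
P, Q = safe_prime_from(1 << 79)


def subgroup_generator(label: bytes) -> int:
    """Nothing-up-my-sleeve element of the order-q subgroup: hash into Z_p, then square.
    Squares mod a safe prime have order q (or 1), so the result generates the subgroup."""
    counter = 0
    while True:
        digest = hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        g = pow(int.from_bytes(digest, "big") % P, 2, P)
        if g not in (0, 1):
            return g
        counter += 1


G = subgroup_generator(b"pedersen-G")
H = subgroup_generator(b"pedersen-H")   # log_G(H) unknown, so a commitment is binding


def commit(value: int, blinding: int) -> int:
    """C = G^value * H^blinding mod P: hides value, binds the committer to it."""
    if not 0 <= value < Q:
        raise ValueError("value outside the subgroup order")
    return pow(G, value, P) * pow(H, blinding, P) % P


def random_blinding() -> int:
    return secrets.randbelow(Q - 1) + 1


def combine(*commitments: int) -> int:
    """'Sum' of commitments is their product mod P; equals commit(sum values, sum blindings)."""
    acc = 1
    for c in commitments:
        acc = acc * c % P
    return acc


def balances(inputs: List[int], outputs: List[int]) -> bool:
    """A verifier holding only commitments checks inputs and outputs carry the same total."""
    return combine(*inputs) == combine(*outputs)


def bit_commitments(value: int, bits: int = 64) -> Tuple[List[int], List[int]]:
    """One commitment per binary digit of value: the objects a range proof signs digit by digit."""
    blindings = [random_blinding() for _ in range(bits)]
    cs = [commit((value >> i) & 1, blindings[i]) for i in range(bits)]
    return cs, blindings


def recombine_bits(bit_cs: List[int]) -> int:
    """prod C_i^(2^i) commits to sum b_i * 2^i with blinding sum r_i * 2^i."""
    acc = 1
    for i, c in enumerate(bit_cs):
        acc = acc * pow(c, 1 << i, P) % P
    return acc


def demo() -> bool:
    # Constructed transaction: inputs of 7 and 5 spent to outputs of 10 and 2.
    r_in = [random_blinding(), random_blinding()]
    c_in = [commit(7, r_in[0]), commit(5, r_in[1])]
    # The sender chooses output blindings whose sum matches the input blindings mod Q.
    r_out0 = random_blinding()
    r_out1 = (sum(r_in) - r_out0) % Q
    c_out = [commit(10, r_out0), commit(2, r_out1)]
    ok_balance = balances(c_in, c_out)
    # The 64 per-bit commitments to 10 recombine into a single commitment to 10.
    bit_cs, bit_rs = bit_commitments(10)
    r_total = sum(r << i for i, r in enumerate(bit_rs)) % Q
    ok_bits = recombine_bits(bit_cs) == commit(10, r_total)
    return ok_balance and ok_bits
```

The balance check is exactly what lets a node verify a transaction without learning the amounts, and the reason the range proof is needed follows from the same arithmetic: since exponents live modulo Q, a "negative" output is just a very large positive one, so without a proof that every committed digit is 0 or 1 the sum could balance while one output has been inflated.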
So there were some considerations as to how to make this memory hard, but I'll get more into that later. In comparison, Bitcoin's mining hash is based on SHA-256, which is a cryptographic hash that's been around for a few years, and it was designed intentionally to be very efficient and very easy to implement. So the Bitcoin hash is actually quite trivial to put into hardware, in silicon, and that's kind of what has led to Bitcoin's problems today. There are a couple of chip manufacturers in China that can make super optimized SHA-256 chips, and they keep them all for themselves. CryptoNight was a good idea for 2013 when it was designed, but there are actually CryptoNight ASICs in existence today. I'm wearing some, actually. These are ASICs, I love them. But the thing you have to realize is memory hardness is not a good idea, because memory is a fast-moving target. Every three years memory capacity doubles. Capacity doubles and the speeds increase. So to base your entire defense on memory hardness, to me that was stupid. Now I wasn't around in 2013, so I couldn't tell these guys that. Today I'm going to say that memory hardness is a stupid feature for a proof of work. It's not adequate. And I've proposed a new algorithm, it's called RandomJS. There are actually two projects out there now. One of them is called ProgPoW. I helped design that as well. That's aimed more at GPUs. And RandomJS is aimed more at CPUs. But I would say there's nothing exclusive in those designs; they could work on either. So the main idea here is you want a proof of work algorithm that actually exploits the features of a general purpose CPU. If you look at the SHA-256 algorithm, it was made to be easy to build in hardware. Its purpose was to be very fast and very efficient. And if you want proof of work, you want the work to actually be hard. It should actually take some time, it should take energy and it should take difficult computations. So that's the idea behind programmatic proof of work.
And these are, I mean, the proof of concept has been out for a couple of months, and a more final implementation exists today and it's just undergoing testing now. So as opposed to Bitcoin with its fixed block size and its three and a half transactions per second, in Monero the block size is dynamic. It's based on the median block size of the previous 100 blocks, and the limit, I mean, the only reason to limit the block size is because we're afraid of spam. We're afraid of somebody who's going to generate hundreds or thousands of dummy transactions just to clog the network. So with a fixed, or with a limited block size, the fee goes up as you start raising the block size. So for somebody who's trying to generate thousands of spam transactions, it gets very expensive for them to keep that up. Also the transaction fee is calculated based on the transaction size and the block size, so all of this feeds together and says if you're generating a lot of this stuff, you're going to pay more. Now the fee is also dynamic in that as the legitimate usage increases, the fee will decrease. And again, that's based on a median of the previous 100 blocks. There's another element of scalability, which is simply the size of the blockchain data, and this is actually where my involvement in Monero begins. The original Monero code kept all of its blockchain in memory, in RAM. If you're working with a PC that's only got a 32-bit processor, you can't use more than 2 or 4 gigs of RAM and then you're done. So the Monero project realized they were running into a brick wall; they needed to move the blockchain from RAM into a database. So just some stats. In January 2015 the blockchain was 5 gigabytes in size. When they put it into the LMDB database, suddenly the RAM usage dropped to only 10 megabytes.
And not only was using LMDB saving memory for them, it actually saved time, even compared with their memory-only database, which you would expect: a memory-only data structure should be super fast, it should be a zillion times faster than this. But in reality, maybe because that code just wasn't all that great, it was much slower. So even with only 585,000 blocks it took 4.2 hours to sync that whole chain, whereas with LMDB at a million blocks it took only 10 minutes. So using LMDB was a huge step in ensuring scalability for this blockchain. I just measured this a couple of weeks ago. I got a first-generation Raspberry Pi; it can sync the whole blockchain. It will take a couple of months, but it can be done.

Okay, so one of the things that bugs me a lot: I come to software from an efficiency standpoint primarily. I've also worked in security and I understand the trade-offs there, but you have to understand that these two needs, these two demands, are completely opposed to each other. To get network privacy and anonymity you have to slow down network performance a whole lot, because you're sending traffic through multiple hops instead of just sending it by the most direct path. To get on-chain privacy and anonymity you're sacrificing a lot of performance and efficiency, because your transactions are so much larger now to carry this extra data that obscures the original amounts and the original addresses. There's a tension here that I don't see a quick resolution to, and this becomes more important over time. If you look at these money supply emission curves, they draw these things out to the year 2050. The Bitcoin guys believed that Bitcoin would be the money of the future and everybody would be using it 30 years later, and I don't think that's really a valid viewpoint. If you listen to some people, they're saying we're going to have colonies on Mars by 2030. Okay, now if that's true, it could happen, Elon Musk is going to Mars. If that happens, that means the currency of the future must work at interplanetary scale, and Bitcoin won't do it. Monero actually won't do it either. So what we have today is only the rough beginnings. None of the technology that we use today is still going to be viable 10 or 20 years from now. It's going to be completely different. We may still call it Monero, but it's not going to be based on the same code as we're running today.

The final takeaways: Monero is the world's first cryptocurrency that actually behaves like money. It's fungible, it's private, it's anonymous. When you spend it, you don't give away any extra information about yourself. The design of Monero didn't come out of nowhere. It did benefit from observing Bitcoin, studying Bitcoin and seeing all of its flaws, saying hey look, we know how to fix these. And it does work today, but it's only one step. There's a long evolution ahead of us.

Yes, the blacklist exists because of those other funky forks. Basically it's not the same as when we talk about a Bitcoin blacklist. Basically we're saying here are a couple of outputs that have been used on another chain that forked the Monero chain, and for you to use them as decoys in a valid transaction would be dangerous.

Because the Bitcoin blockchain is stored in Google LevelDB, and that sucks. Okay, all right. In LMDB the design is it's fully transactional, which means every write is actually atomic. LevelDB is not a transactional database. They say that they support atomic writes. So I actually have very little respect for LevelDB, for a number of reasons, but mostly because they lie, they misrepresent its capabilities. Okay, here's the thing. LMDB stores all of its data in a single file. Within a single file it is possible for you to do a sequence of operations that shows up in one atomic instant. LevelDB stores its data in multiple files. It is actually impossible for you to update multiple files and have that become visible in one atomic instant. There are always multiple intervals of time where you can see intermediate states, and it's those intermediate states that trip you up if the machine crashes while it's in the middle of updating a sequence of files, because there's no atomic update.

Earlier you mentioned, there's no speaker, earlier you mentioned Bitcoin had trouble changing something as simple as a hard-coded value. How do you see Monero, you're talking about even changing proof of work in Monero, which seems like a much grander change. How do you see governance playing into that, and do you see an eventual Bitcoinification of the governance, where you kind of move into a comfortable state, it's worth too much money, you can't make these changes without having big problems or worries?

That's a good question, and I'm not sure I know the answer to that. I would say eventually it probably will get to that point, but we're not there yet. Right now everybody understands this is an experiment. Everybody understands we upgrade every six months. That's just what you sign up for; it's kind of churn when you participate. Every six months this is going to change. Eventually we may slow that down and say every one year this is going to change, and then it may slow down even further after that, but we're not there yet.

Why are the coin transactions so slow? Why are they so slow? There's a lot of factors that feed into that. Database performance is one element, a slow database. Bitcoin transactions are slow for network propagation reasons. They're trying to throttle the transaction rate so that a single transaction has time to propagate to the entire network. It's a large network, that's going to be slow. There's a lot of factors. Okay, would Monero have the same issues with slow transaction speed? Maybe. My personal belief is that we cannot have a single global cryptocurrency. The example with colonies on Mars should prove that to you. We actually need some kind of sharding or fractional networks. That's really the only way to keep performance up and cover large scale.

Yeah, well, we have work going under way to support pruning for the blockchain, so that'll reduce the size in the future. Does that answer your question, or was it a different question? The Monero network itself is not working on storing arbitrary data. We want to store financial transactions and nothing else, but there are other sidechains in the future.

Does blackballing constitute an attack on fungibility, by creating the transactions that needed to be blackballed? Yeah, forking is certainly a threat. I mean, otherwise we wouldn't have had to go to the step of blackballing, and we had to warn people: if you're using XMC or XMO or XMV, whatever the heck they all were, if you're using these things with your existing Monero wallet, with your existing coins, you're going to be putting all of the networks at risk.

Any other? Yeah, what can we do to help adoption of Kovri and start integrating it into the apps that you care about? You know, all of this is volunteer work, so whenever somebody says I want this to happen, they just do it, or it won't happen.

Since every ring signature has a key image, you can actually detect that. Yeah, yeah.

Okay, so at one point in time, for a glorious eight months, I had a company called Monero Direct that allowed you to purchase Monero using dollars, euros, pounds, whatever. We've shuttered that company for the moment because our payment processor got acquired by another company, and that other company had weird policies towards cryptocurrency, so we couldn't continue with them. Now in the meantime we still use Kraken.com. I mean, I use them because I can buy directly with euros.

One more, one more. What am I working on next? At the moment I'm actually trying to get LMDB 1.0 out the door, and one of the interesting features that we've added in 1.0 is database-level encryption. Part of the reason that feature exists is so that we can start moving the Monero wallet into LMDB and keep all the data encrypted.